Evolution of .NET: Advancing Post-Exploitation Tactics
PowerShell and .NET have been invaluable for post-exploitation over the last several years. Many red teams use open-source C# tools like SharpHound and Rubeus to analyze environments and reach their objectives.
While defenders can observe this behavior with the Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW), many public techniques exist to silence these data sources. However, these approaches do not prevent defenders from discovering artifacts left behind by the .NET runtime. The .NET tools used by red teams aren't perfect, either.
Public tools may have unhandled exceptions or use APIs that terminate the host process. With the shift to inline execution, where the tool runs inside the implant's own process, these events threaten an implant's stability.
This talk follows Windows post-exploitation from its PowerShell origins a decade ago to modern .NET tradecraft to understand the current landscape and discuss future advances.